Welcome! Log In Create A New Profile

Re: nginx 0day exploit for nginx + fastcgi PHP

Forum List Message List New Topic Print View

mike

January 26, 2011 11:16PM

Registered: 15 years ago
Posts: 833

it's not a vulnerability with nginx, it's a widespread configuration
misstep teamed up with what I consider to be somewhat lazy application
code (it should check filetype and/or convert and normalize it to site
specifications and/or strip extra stuff inside of it ...)

there's a couple different ways to address it with nginx
configuration, and there is a way to address it in application code
too.

doesn't this fix basically say "if there is a period in the path
before the path ends with PHP throw a 403" - because then
/my.directory/foo.php would be denied, right?

location ~ \..*/.*\.php$ {
return 403;
}

On Wed, Jan 26, 2011 at 8:07 PM, gdork <nginx-forum@nginx.us> wrote:
> 40 of my servers were compromised because of this issue and I just found
> out about it...aarrrghhhh.
> There are php cmd shell trojans everywhere now!
>
> I was able to easily replicate this issue, and the cgi.fix_pathinfo=0
> fix did NOT work on my systems.
>
> Adding:
>
> location ~ \..*/.*\.php$ {
> return 403;
> }
>
>
> Did solve the issue however.
>
> It is VERY common for image hosting sites to allow file uploads to the
> web directory.
> Any can upload a php file as an image and immediately execute it.
> nginx should NOT allow the fastcgi backend to execute code in a file
> that does not even exist.
>
> /blah/blah/virusimage.jpg/hello.php should never execute the hidden php
> code inside the file virusimage.jpg
> I wonder how many sites have been trojaned because of this. Ive been
> searching vulnerability databases for days and never came across this
> nginx issue. :(
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,88845,169953#msg-169953
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
nginx 0day exploit for nginx + fastcgi PHP	Avleen Vig	May 21, 2010 01:14PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Avleen Vig	May 21, 2010 01:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Eren Türkay	May 25, 2010 11:44AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 01:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 01:36PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 01:44PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 01:52PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 02:16PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 02:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 02:40PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 02:40PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 21, 2010 03:10PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 04:46PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 04:58PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 05:20PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 05:54PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 02:10AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 01:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 01:32AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 22, 2010 03:00AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 03:58AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 05:46AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 06:12AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:22AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 06:26AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:56AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 08:22AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 08:30AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 08:48AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Jérôme Loyet	May 21, 2010 03:50PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Weibin Yao	May 23, 2010 11:24PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Jérôme Loyet	May 24, 2010 03:00AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Weibin Yao	May 24, 2010 04:20AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Cliff Wells	May 21, 2010 09:00PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Grzegorz Sienko	May 21, 2010 09:24PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 09:34PM
Re: nginx 0day exploit for nginx + fastcgi PHP	gdork	January 26, 2011 11:07PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	January 26, 2011 11:16PM
Re: nginx 0day exploit for nginx + fastcgi PHP	edogawaconan	January 27, 2011 12:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	January 27, 2011 01:08AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Cliff Wells	May 21, 2010 10:42PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ding Deng	May 22, 2010 09:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 22, 2010 03:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	brianmercer	May 21, 2010 05:03PM
Re: nginx 0day exploit for nginx + fastcgi PHP	tuurtnt	December 14, 2011 06:26PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Kraiser	February 17, 2012 09:53AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Reinis Rozitis	February 17, 2012 11:42AM
Re: nginx 0day exploit for nginx + fastcgi PHP	zsero	October 30, 2012 01:01PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 241

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018